4 Chatbot Security Measures You Absolutely Need to Consider
Are your chatbots secure?
Join the DZone community and get the full member experience.Join For Free
It will come as no surprise that chatbots are everywhere and they are here to stay! In fact, 80 percent of companies want to have some type of chatbot implemented by 2020.
Chatbots are our friendly assistants that make life easier by helping us book flights, appointments, shop, get answers to our questions, etc. They also allow companies to lower the cost in customer service and have their customer support agents attending to more complex situations.
Typically, chatbots that are used in industries such as retail, banking, financial services, and travel handle very important data such as credit/debit cards, SSN, bank accounts, and other Sensitive PII (Personally identifiable information). The collection of this type of data is vital for the chatbot to do its job; therefore, chatbots and others digital assistants become an attractive target to be exploited by an attacker to steal users’ information.
Just like any new technology, the benefit comes with great responsibility and cyber-security risks. For this reason, it is very important to know the security practices that are commonly implemented when working with chatbots. For the most part, chatbots don’t present security issues that haven’t already been discovered and properly mitigated.
Being aware of the security practices not only helps you to ensure that your chatbot is secure but also gives you peace of mind that your chatbot will not be at risk.
Types of Security Concerns
Security concerns fall into two main categories:
Threats are usually defined as ways that a system can be compromised. Threats can include events such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privileges, and many more.
After an attack, hackers can threaten to expose information or sell personal information on the deep web. Each different attack should be mitigated with their respective techniques.
Vulnerabilities are defined as ways that a system can be compromised that are not properly mitigated. A system can become vulnerable and open to attacks when it is not well maintained, has poor coding, lacks protection, or due to human errors. The most effective way to mitigate vulnerabilities is to implement SDL (Security Development Lifecycle) activities into the development lifecycle.
It is very important to be aware of the different attacks that can be exploited in these two categories. Security awareness is one of the most important things that a company should invest in, but security measures often go unnoticed until an attack happens.
In 2017, the average total cost of a successful cyber-attack was over $5 million, or $301 per employee. (Ponemon Institute)
Better safe than sorry!
Chatbots can offer a solution to some of the well-known security weaknesses. Encryption and other security measures minimize the vulnerability of a system through highly secure protocols. As a result, chatbots not only offer a great user interface for conversations but also provide security to some vulnerabilities.
Best Security Practices When Working With a Chatbot
1. End-to-End Encryption
It is very important to have E2EE; this ensures that the whole conversation will be encrypted. Data in transit can also be tampered and spoofed; different protocols exist to provide encryption while addressing these issues — we will take a look at them later. Encryption, in some cases, might need to be used with authentication and integrity protection schemes.
As you may know, chatbots can also connect to channels like Facebook Messenger, Telegram, Slack, etc. In this case, the ideal mitigation for E2E is to only allow chatbots to connect to channels that support data encryption. Article 32 (a) of the General Data Protection Regulation (GDPR) specifically requires that companies take measures to pseudonymize and encrypt personal data.
The good news is that, thanks to regulations like GDPR, more companies are paying attention to data encryption and, therefore, giving chatbots more channels to connect to in a secure manner. For example: in 2016, Facebook Messenger introduced the new feature called “Secret Conversations” that enables E2E based on Signal Protocol developed by Open Whisper Systems.
2. User Identity Authentication and Authorization
User authentication is used to identify that a user is verified with valid and secure login credentials, such as a username and password. The credentials are exchanged for a secure authentication token; this token is used throughout the user’s session.
One of the security measures used in chatbots, especially on the banking cases, is authentication timeouts, when the generated token can only be used for a preset amount of time. After that, the system will be forced to make a new one.
Two-factor authentication is another way to verify the identity of a user by asking them to verify their account through an email and text message. This authentication technique also helps with authorization by granting the right person access and keeping the information in the right hands.
3. Self-Destructive Messages
When Sensitive PII (Personally identifiable information) is being transmitted, the message with this information will be destroyed after a set amount of time. This type of security measure is crucial when working with banking and other financial chatbots.
Article 5 (e) of the General Data Protection Regulation (GDPR) states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed.
Another GDPR compliance measure is to have an “intent level” of privacy. The user can exchange personal information but the data will not be revealed even from the backend, only the intents from the user are logged and kept for audit purposes.
4. Secure Protocols
We know that network security can often be a tough topic; you can think of the purpose of secure protocols as to transfer data from point A to point B without being intercepted, read by unauthorized individuals, altered or deleted.
HTTPS is the web protocol ensuring the privacy and integrity of our data. This protocol transfers data over Hypertext transfer protocol (HTTP) through an encrypted connection by Secure Sockets Layer (SSL) or Transport Layer Security (TSL).
Concern for security is very important in times of new technologies, as they may bring new threats. However, companies are taking greater safety measures to ensure that users’ information is safe. Regulations such as GDPR, California Consumer Privacy Act (CCPA), and others are enforcing data security policies that obligate companies to protect customers’ data.
Even though chatbots are relatively new technology, the security practices that stand behind them have been used and proven to be effective for many decades. This gives our users peace of mind that their data will be handled in a secure manner.
Happy secure bot building!
Published at DZone with permission of Paul Pinard. See the original article here.
Opinions expressed by DZone contributors are their own.